U.S. Department of the Interior
Office of Inspector General

AUDIT REPORT

FOLLOWUP OF MAINFRAME COMPUTER POLICIES AND PROCEDURES, ADMINISTRATIVE SERVICE CENTER, BUREAU OF RECLAMATION

REPORT NO. 98-I-623
AUGUST 1998

A-ILBOR-001-97

United States Department of the Interior
OFFICE OF INSPECTOR GENERAL
Washington, D.C. 20240
AUG 20 1998

AUDIT REPORT
Memorandum

To: Commissioner, Bureau of Reclamation

From: Robert J. Williams, Assistant Inspector

Subject: Audit Report on Follow-up of Mainframe Computer Policies and Procedures, Administrative Service Center, Bureau of Reclamation (No. 98-I-623)

INTRODUCTION

This report presents the results of our followup audit of recommendations contained in our March 1997 audit report "Mainframe Computer Policies and Procedures, Administrative Service Center, Bureau of Reclamation" (No. 97-I-683). We performed this audit in support of audits of the annual financial statements of the Bureau of Reclamation and the Service Center's clients. Annual financial statements are required by the Chief Financial Officers Act. The objective of this audit was to determine whether (1) the Service Center had satisfactorily implemented the recommendations made in our prior audit report and whether any new recommendations were warranted and (2) the Service Center's general controls were effective over computer center management and operations, software change management, and mainframe computer operating system software.

BACKGROUND

The Bureau of Reclamation's Administrative Service Center in Denver, Colorado, is one of two Administrative Service Centers within the Department of the Interior. The Service Center's mission "is to improve economy and efficiency in Government through the delivery of standard, automated administrative systems." Specifically, the Service Center provides (1) consolidated payroll and personnel services for about 97,000 employees in the Department of the Interior and eight other Federal agencies and (2) Government accounting, integrated budgeting, and reporting services through the Federal Financial System (FFS) to three Departmental and five other Federal agencies. At the time of our audit, payroll and personnel services were provided through the Payroll/Personnel System (PAY/PERS) and the Federal Personnel Payroll System (FPPS), which was in the latter stages of development. The implementation of FPPS, which is to replace PAY/PERS, began in September 1997 with the conversion of three Departmental agencies from PAY/PERS. The remaining Departmental and non-Departmental agencies are to be converted to FPPS by December 30, 1998. In addition, a new client, the Social Security Administration, was added in March 1998, which increased the number of payroll accounts by about 65,000.

The Service Center provides its services on a cost-reimbursable basis, and this reimbursement function is administered through the Bureau's Working Capital Fund. The Service Center is organized into seven divisions that "provide data center, application, system, and operational support to the organization and clients" as follows:

- The ADP Services Division is responsible for (1) planning, developing, and operating the Service Center's computer center functions and (2) operating and maintaining computers, system software, and data communication networks. To assist the Division in carrying out its functions, the Service Center has contracted with Tri-Cor Industries, Inc. The Division provides data processing support for the Departmental standardized administrative sensitive systems.[1] To support these systems, the computer center operates an IBM mainframe computer using the "OS/390" operating system to manage the processing work load. The access control security software installed on the mainframe computer is the Resource Access Control Facility (RACF),[2] which controls users' and computer programs' access to the mainframe computer resources. Additionally, other system software, such as database management, telecommunications, and specialized vendor software, resides on the mainframe computer and is used to support the sensitive systems. Data center operations provide users with computer and communications equipment and infrastructure, systems software, and operational support. The Division manages data center operations through scheduling activities, planning for contingencies and capacity, and providing user support. The Division also manages the information resources security program.

- The FPPS Division is responsible for managing the development, implementation, and operation of the FPPS application. These responsibilities include controlling software changes; providing technical assistance to users; and managing tests of the application, converting data, and implementing the FPPS application. To assist the Division in carrying out its functions, the Service Center has contracted with the Computer Sciences Corporation.

- The Application Management Office directs the program activities of the Departmental administrative applications assigned to the Service Center.

- The PAY/PERS Division operates and maintains PAY/PERS. However, when all agencies have been converted to FPPS, the PAY/PERS Division will no longer exist.

- The Payroll Operations Division plans, develops, executes, and manages the interagency payroll program delivered by the Service Center and performs payroll administration and services for all payroll clients.

- The Financial Systems Division provides functional and technical support to clients using FFS and related financial applications.

- The Management Services Division provides Service Center administrative support.

[1] According to the National Institute of Standards and Technology, sensitive systems are defined as "systems that contain any information, the loss, misuse, or unauthorized access to or modification of which could adversely affect the national interest or the conduct of Federal programs, or the privacy to which individuals are entitled under the Privacy Act, but which has not been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept secret in the interest of national defense or foreign policy."

[2] RACF is an IBM-licensed product that provides access control by identifying and verifying users to the system, authorizing access to protected resources, logging detected accesses to protected resources, and logging detected unauthorized attempts to enter the system.

SCOPE OF AUDIT

The scope of our followup audit included an evaluation of the actions taken by Service Center management to implement the 24 recommendations made in our March 1997 audit report and a review of the general controls in place during fiscal year 1997. To accomplish our objective, we interviewed Service Center and contractor personnel, reviewed systems documentation, observed and became familiar with computer center operations, analyzed system security, reviewed system and application software maintenance procedures, and reviewed and tested implementation of the prior audit recommendations. Because our review was limited to evaluating the adequacy of internal controls at the Service Center, we did not test the effectiveness of the internal controls at the various agencies and clients supported by the Service Center.

Our audit was conducted in accordance with the "Government Auditing Standards," issued by the Comptroller General of the United States. Accordingly, we included such tests of records and other auditing procedures that were considered necessary under the circumstances.

As part of our audit, we evaluated the Service Center's general controls over its mainframe computer and application systems that could adversely affect the data processing environment. The control weaknesses that we identified are summarized in the Results of Audit section and discussed further in Appendix 1 of this report. If implemented, our recommendations should improve the general controls in the areas cited. Because of inherent limitations in any system of internal controls, losses, noncompliance, or misstatements may occur and not be detected. We also caution that projecting our evaluations to future periods is subject to the risk that controls or the degree of compliance with the controls may diminish.

PRIOR AUDIT COVERAGE

During the past 5 years, the General Accounting Office has not issued any reports related to the scope of this audit. However, the Office of Inspector General has issued two related reports as follows:

- The March 1994 audit report "Compliance With the Computer Security Act of 1987, Denver Administrative Service Center, Bureau of Reclamation" (No. 94-I-357) stated that the Service Center generally complied with the requirements of the Computer Security Act of 1987 but that improvements were needed in the areas of security and operations. Since the Service Center was addressing all of the deficiencies identified, the report contained no recommendations.

- The March 1997 audit report "Mainframe Computer Policies and Procedures, Administrative Service Center, Bureau of Reclamation" (No. 97-I-683) stated that deficiencies identified in our March 1994 report relating to performing a risk analysis of the Service Center's local area networks and separating duties by using RACF security software still existed. This report contained 24 recommendations for improving management and internal controls at the Service Center. We reviewed actions taken by Service Center management to implement these recommendations as part of our current audit, the results of which are summarized in the Results of Audit section and discussed in Appendix 2 of this report.

RESULTS OF AUDIT

Regarding the prior report's recommendations, we found that the Bureau of Reclamation's Administrative Service Center management had satisfactorily implemented 21 of the 24 recommendations (see Appendix 2). Of the three remaining recommendations, one recommendation (No. D.3) was scheduled for completion by September 30, 1998, and we considered the planned actions adequate to correct the deficiencies identified. We considered the remaining two recommendations (Nos. G.2 and J.1) partially implemented because actions had not been completed to fully correct the previously identified deficiencies. The actions taken to implement the 21 recommendations have improved the controls in the areas of local area network protection; application access; mainframe system physical and logical security; and contingency planning, backup, and disaster recovery.

Regarding the general controls, we believe that overall, the general controls were operating with no material weaknesses. However, we found general control weaknesses in the areas of computer center management and operations, software change management, and mainframe computer operating system software that were present during fiscal year 1997. Office of Management and Budget Circular A-130, "Management of Federal Information Resources," which defines minimal sets of controls for managing Federal information resources, and National Institute of Standards and Technology publications require Federal agencies to establish and implement computer security and management and internal controls to improve the protection of sensitive information in the computer systems of executive branch agencies. Additionally, the Congress has enacted laws, such as the Privacy Act of 1974 and the Computer Security Act of 1987, to improve the security and privacy of sensitive information in computer systems by requiring executive branch agencies to ensure that the level of computer security and controls is adequate. Also, the Departmental Manual outlines (1) the requirements related to security clearance programs, suitability, and types of security investigations and (2) the process for determining position sensitivity. However, Service Center management did not ensure that controls were implemented and were operating effectively and in compliance with established criteria. Specifically, we found that general control practices and processes were not complied with, the appropriate security levels were not assigned to automated data processing (ADP)-related positions, some mainframe computer functions were not operated efficiently, software change management controls were not complied with, and mainframe computer operating system software tools and settings had not been implemented to ensure system and data integrity. As a result, there was an increased risk of unauthorized access to, modification of, and disclosure of client-sensitive data; inefficient Service Center operations; and loss of system and data integrity.

Overall, we identified 6 weaknesses and made 14 recommendations for improving the general controls at the Service Center. The weaknesses in the areas of computer center management and operations, software change management controls, and mainframe computer operating system software are discussed in the following paragraphs, and details of the weaknesses and our respective recommendations to correct these weaknesses are in Appendix 1.

Computer Center Management and Operations

We found that Government and contractor employees who filled ADP-related sensitive and critical positions did not have proper background clearances. Without information on the security-related background of personnel assigned to sensitive and critical positions, there was an increased risk that sensitive systems could be impaired or compromised. In addition, Service Center operations could be improved if some mainframe computer functions, such as the process of moving changed software from the test environment to the production environment and the scheduling of computer production, were centralized, and a standardized software change control tool was used. When mainframe computer functions are decentralized and not standardized, there is an increased risk of inefficient operations and unnecessary costs. We made three recommendations to address these weaknesses.

Software Change Management Controls

We found control weaknesses in the area of managing software changes made to the FPPS application and to the mainframe computer operating system. Because of the weak controls, there was an increased risk that unauthorized changes could be made to the sensitive FPPS application and to the critical operating system, which could affect application and system integrity. We made seven recommendations to address these weaknesses.

Mainframe Computer Operating System Software

We found that the Service Center had not implemented the available operating system software tools which would improve (1) the effectiveness of access controls to the mainframe computer resources and (2) mainframe computer system processing and data integrity. As a result, the risk was increased that access controls could be bypassed and unauthorized activities would not be detected. We made four recommendations to address the weaknesses in this area.

Bureau of Reclamation Response and Office of Inspector General Reply

In the June 17, 1998, response (Appendix 3) to the draft report from the Commissioner, Bureau of Reclamation, the Bureau concurred with all 14 of the new recommendations. Based on the response, we consider Recommendations C.1 and C.2 resolved and implemented and Recommendations A.1, A.2, B.1, C.3, D.1, D.2, D.3, D.4, E.1, E.2, F.1, and F.2 resolved but not implemented. Accordingly, the unimplemented recommendations will be referred to the Assistant Secretary for Policy, Management and Budget for tracking of implementation (see Appendix 4).

In its response, the Bureau said that "the report language regarding the FPPS system did not adequately consider that FPPS was under development during the time of the audit." We disagree. We clearly identified in Finding C that the weaknesses occurred during the latter stages of development and the early stages of implementation. However, we have added wording (page 1) to further clarify that the FPPS was in the latter stages of development during the period of our review.

Regarding our March 1997 report, we consider 21 recommendations resolved and implemented and the remaining 3 recommendations (Nos. D.3, G.2, and J.1) partially implemented. Accordingly, updated information on the status of the three prior recommendations will be forwarded to the Assistant Secretary for Policy, Management and Budget (see Appendix 5).

Since the recommendations contained in this report are considered resolved, no further response to the Office of Inspector General is required (see Appendix 4).

The legislation, as amended, creating the Office of Inspector General requires semiannual reporting to the Congress on all audit reports issued, actions taken to implement audit recommendations, and identification of each significant recommendation on which corrective action has not been taken.

We appreciate the assistance of Bureau personnel in the conduct of our audit.

APPENDIX 1

DETAILS OF WEAKNESSES AND RECOMMENDATIONS

COMPUTER CENTER MANAGEMENT AND OPERATIONS

A. Background Clearances

Condition: In our prior report, we recommended that Service Center management require all contractor employees to have proper background clearances. However, during our current audit, we found that contractor personnel at the ADP Services Division had received background clearances but that not all contractor personnel at the FPPS and Financial Systems Divisions had received background clearances. Additionally, Service Center Federal personnel involved in designing, developing, operating, or maintaining sensitive automated systems did not have background checks and security clearances commensurate with their job responsibilities and the sensitivity of the information accessed. Specifically, 154 of the 189 Service Center employees who performed these ADP-related duties did not have the appropriate ADP background clearances.

Criteria: Office of Management and Budget Circular A-130, Appendix III, "Security of Federal Automated Information Resources," requires agencies to establish and manage security policies, standards, and procedures that include requirements for screening individuals participating in the design, development, operation, or maintenance of sensitive applications or those having access to sensitive data. In addition, the Departmental Manual (441 DM 4.6) requires position sensitivity levels of "non-critical sensitive" or "critical sensitive" and associated security clearances for ADP-related positions for which employees are required to design, test, operate, and maintain sensitive computer systems. Security clearances are also required of employees who have access to or process sensitive data requiring protection under the Privacy Act of 1974. Further, the Departmental Manual (441 DM 5.15) requires that all consultants or contractors performing ADP-related sensitive and critical duties have background investigations to determine position suitability and to receive a security clearance.

Cause: Service Center management had not uniformly developed and implemented, across all Service Center Divisions, personnel security policies requiring contractor personnel who perform ADP-related sensitive and critical duties to be screened for position suitability. Additionally, Service Center management did not ensure that the level of position sensitivity for ADP-related positions was assigned at the level commensurate with the risk and sensitivity of the data accessed and processed and that background checks were performed on employees who filled these positions.

Effect: Without proper personnel background investigations, managers had limited knowledge of the suitability of their employees and contractors, from a security standpoint, for their respective jobs. Without this assurance, there was an increased risk that the Service Center's sensitive systems could be impaired or compromised by personnel.

Recommendations:

We recommend that the Director, Administrative Service Center:

1. Develop and implement policies and procedures which require contractor employees who fill ADP-related sensitive or critical positions to have documented suitability screening and proper background investigations and appropriate security clearances.

2. Evaluate the position sensitivity of ADP-related positions, assign position sensitivity levels in accordance with the Departmental Manual, and ensure that those employees working on sensitive systems have the proper background investigations and security clearances before they are assigned to the positions.

B. Operating Efficiencies

Condition: At the Service Center, each division controlled the process of moving changed software from the test to the production environment, different software tools were used to control the movement of the changed software, and internal and external clients controlled their mainframe computer production scheduling.

Criteria: Office of Management and Budget Circular A-130 states that management should oversee its processes to maximize return on investment and minimize financial and operational risk. Further, the Circular requires that financial management systems conform to the requirements of Office of Management and Budget Circular A-127, "Financial Management Systems." Circular A-127 requires that agency financial management systems process financial events effectively and efficiently.

Cause: Service Center management did not ensure that its processes were operating efficiently because of preferences of internal and external clients and because management had not developed and implemented consistent standards for controlling operational processes.

Effect: There was an increased risk that changed software would negatively impact the mainframe computer operating system; costs of maintaining different software tools would increase Service Center operating costs, which would be passed on to clients; and mainframe computer usage could be reduced. Additionally, without centralized control of production scheduling, there was an increased risk that critical processing jobs would not receive the required priority.

Recommendation:

We recommend that the Director, Administrative Service Center, in coordination with the Service Center's internal and external clients, evaluate the feasibility of centralizing the process of moving changed software from the test environment to the production environment, using standardized software tools to control the software change process, and centralizing mainframe computer production scheduling.

C. Application Software Change Management Controls

Condition: Software changes made to the FPPS during the latter stages of development and the early stages of implementation were not approved, reviewed, or evaluated adequately before changed software was installed for use in production; documentation was not adequate to monitor changes made to the software; and available library control software[3] was not implemented to ensure consistency and completeness throughout the FPPS application.

Criteria: Federal Information Processing Standards Publication 106, "Guideline on Software Maintenance," provides guidelines for managing software maintenance. Publication 106 states that all software changes should be carefully evaluated and formally reviewed prior to installing the changed software. The publication further states, "In order to monitor maintenance effectively, all activities must be documented. . . . The key to successful documentation is that not only must the necessary information be recorded, it must be easily and quickly retrievable by the maintainer." In addition, FPPS Division policies and procedures require that all changes to the FPPS application be thoroughly documented, be accepted by all involved parties, and pass a quality assurance review.

Cause: FPPS Division management did not ensure that Division personnel followed software change management practices for making software changes to the FPPS application because of the time constraints to implement FPPS and because FPPS was encountering problems and was considered by Division personnel to be unstable. In addition, we found that FPPS Division management did not hold its personnel accountable for complying with Division policies and procedures when they made changes to the FPPS application. Further, FPPS Division management said that they did not implement the available library control software, which would ensure adequate documentation of the FPPS application, because at that time, the vendor library control software was not working correctly.

Effect: There was an increased risk that the changes made to the FPPS application would not perform according to specifications, which could adversely affect user satisfaction and could adversely impact other applications interfacing with the FPPS application or the mainframe operating system.

[3] Library control software is a system for keeping track of changes to and versions of software programs, documenting components to build executable programs, and preventing unauthorized access to program files.

Recommendations:

We recommend that the Director, Administrative Service Center:

1. Require that software changes be adequately reviewed and approved before the changes are implemented.

2. Implement procedures to ensure that all software changes to the FPPS application are properly documented.

3. Implement the available library control software when corrected to ensure adequate documentation of the FPPS application.

D. Operating System Software Change Management

Condition: Change controls over the mainframe computer operating system software were not adequate. The ADP Services Division change control procedures did not address adequate separation of duties between the development, test, and installation functions. Thus, one individual could perform all of these critical functions. In addition, the change control procedures did not ensure that all changes were properly approved by Division management. While the change management procedures required approval of all software changes, changes were made without documented evidence of approval.

Criteria: Appendix III of Office of Management and Budget Circular A-130 states that one of the minimum controls required in a general support system is personnel controls. One such control is separation of duties, which is "the practice of dividing the steps in a critical function among different individuals." Also, Federal Information Processing Standards Publication 106 states that "to be effective, the policy should be consistently applied and must be supported and promulgated by upper management to the extent that it establishes an organizational commitment to software maintenance." In addition, Publication 106 states that "prior to installation, each change (correction, update, or enhancement) to a system should be formally reviewed." Finally, Division system change request procedures require that all change requests be approved by the appropriate branch chief.

Cause: ADP Services Division management did not ensure that appropriate separation of duties existed in developing and testing mainframe operating system software and parameter changes and in moving operating system software and parameter changes into the production environment, although the number of employees within the Division may allow for a separation of these duties. Additionally, Division management had not implemented controls to ensure that the process of making system software changes was in compliance with its documented procedures. Further, management had not implemented procedures to require periodic reviews of critical datasets and system parameters to identify inappropriate changes to the mainframe operating system environment. Although Division management had implemented a change control software tool that provided a systematic and automated means of controlling the movement of software changes, all the capabilities of the software tool were not implemented because of other Division priorities.

Effect: There was an increased risk that unauthorized, untested, and undocumented changes could be made to the mainframe computer operating system software and parameters, which would affect system processing and data integrity, and that these changes would not be detected, or would not be detected in a timely manner.

Recommendations:

We recommend that the Director, Administrative Service Center:

1. Evaluate current ADP Services Division procedures and determine the feasibility of implementing controls in the change management process over operating system software to ensure that adequate separation of duties is addressed and complied with.

2. Develop procedures and implement controls to ensure that changes to the operating system parameters are identified, approved by ADP Services Division management, and documented.

3. Develop procedures requiring periodic reviews of critical datasets and system parameters.

4. Evaluate implementing available capabilities in the current change control software tool to more effectively control changes to the operating system software.

MAINFRAME COMPUTER OPERATING SYSTEM SOFTWARE

E. System Audit Tools

Condition: Service Center management did not use available mainframe computer operating system audit tools that would improve integrity over system processing and data and that would detect inappropriate actions by authorized users. Specifically:

- Operating system integrity verification and audit software was not used. Such software could assist data center and installation security management in identifying and controlling the mainframe computer operating system's security exposures that may result from system setting options; from installing "back doors" to the operating system; and from introducing viruses and Trojan horses, which can destroy production dependability and circumvent existing security measures.

- Computer operators and system programmers had the capability to change the system initialization process and thus affect system processing. System options that would log in the SYSLOG[4] the results of actions taken by the computer operators and system programmers affecting mainframe operating system configuration were not implemented.
Therefore, an audit trail of the\n                system initialization process and changes to the operating system configuration\n                could not be produced for periodic review. Based on recommendations made\n                by our audit staff during the review, Service Center management implemented\n                the logging capabilities within the system; however, procedures had not been\n                developed and implemented to require periodic reviews of the logs.\n\n                     - Periodic reviews of critical System Management Facility (SMF)3 logs to\n                identify unauthorized changes to data by authorized users and critical events\n                affecting system processing were not performed. For example, reviews were\n                not performed of record type 7, which records when the system audit trail is\n                lost, and record type 90, which records events such as SET TIME, SET DATE,\n                and SET SMF, all of which affect system processing and audit trails.\n\n\n\n*SY SLOG is an audit trail that logs the results of actions taken by computer operators and system programmers\nduring system initialization.\n\n3The System Management Facility (SMF) logs record all system activity and serve as an audit trail of system\nactivity, including identifying users who performed the activity.\n\n                                                      14\n\x0c                                                                               APPENDIX 1\n                                                                                Page 9 of 11\n\nMAINFRAME COMPUTER OPERATING SYSTEM SOFTWARE\n\n\nCriteria:    Appendix III of Office of Management and Budget Circular A-l 30 requires\n             agencies to establish controls to ensure adequate security for all information\n             processed, transmitted, or stored in Federal automated information systems. 
In\n             addition, the Circular states that individual accountability is one of the\n             personnel controls required in a general support system. The Circular further\n             states that an example of one of the controls to ensure individual accountability\n             includes reviewing or looking at patterns of users\xe2\x80\x99 behavior, which requires\n             periodic reviews of the audit trails. Also, the National Institute of Standards\n             and Technology\xe2\x80\x99s \xe2\x80\x9cAn Introduction to Computer Security: The NIST\n             Handbook\xe2\x80\x9d states that audit trails are \xe2\x80\x9ctechnical mechanisms\xe2\x80\x9d to achieve\n             individual accountability.\n\nCause:       Service Center management did not acquire operating system integrity and\n             verification software, did not encourage the use of available system audit trails\n             to detect and identify inappropriate actions affecting the system processing and\n             data integrity, and did not establish procedures requiring periodic reviews of\n             available system logs. Instead, Service Center management relied on its staff\n             to make appropriate changes to the system initialization process and on\n             authorized users to make only appropriate changes.\n\nEffect:      As a result, there was an increased risk that mainframe computer operating\n             system security exposures would not be identified. Additionally, without\n             periodic reviews of the system audit trails, there was an increased risk that\n             processing problems or unauthorized activities would not be detected or\n             detected timely and that the responsible individuals would not be held\n             accountable for the inappropriate actions.\n\nRecommendations:\n\nWe recommend that the Director, Administrative Service Center:\n\n    1. 
Evaluate acquiring system verification and auditing software.\n\n    2. Develop and implement procedures to ensure that periodic reviews are performed of\nthe SYSLOG and critical SMF logs to identify unauthorized or inappropriate activities and\nthat unauthorized or inappropriate activities are reported to Service Center management.\n\n\n\n\n                                             15\n\x0c                                                                                                   APPENDIX 1\n                                                                                                   Page 10of 11\n\nMAINFRAME COMPUTER OPERATING SYSTEM SOFTWARE\n\n\nF. Mainframe Operating System Options\n\nCondition: ADP Services Division management did not implement mainframe operating\n           system options that would strengthen controls over computer programs which\n                                                                               4\n           access sensitive operating system functions. We found 13 libraries that were\n           able to run in the \xe2\x80\x9cAuthorized Program Facility (APF)-authorized\xe2\x80\x9d state, even\n           though the libraries were not required to run in the APF. By running in the\n           APF-authorized state, these libraries may be considered part of the main&me\n           operating system and thus have access to all of the mainframe resources.\n\nCriteria:        IBM\xe2\x80\x99s publication titled \xe2\x80\x9cOS/390 Initialization and Tuning Reference\xe2\x80\x9d states\n                 that \xe2\x80\x9cthe parameter LNKAUTH specifies whether all libraries\xe2\x80\x9d in the\n                 LNKLST* * member? 
\xe2\x80\x9care to be treated as Authorized Program Facility (APF)-\n                 authorized when accessed as part of the concatenation, or whether only those\n                 libraries that are named in the APF table are to be treated as APF-authorized?\n                 Additionally, the publication addresses managing system security and states\n                 that the \xe2\x80\x9cauthorized program facility (APF) allows your installation to identify\n                 system or user programs that can use sensitive system functions.\xe2\x80\x9d\n\nCause:           Division Management implemented a default option (LNKLST) that allowed\n                 libraries within the LNKLST* * member to run in the APF-authorized state. An\n                 alternative option (APFTAB) is provided which requires only those libraries\n                 that are named specifically in the APF table to be able to run in the APF-\n                 authorized state. The 13 libraries were automatically added to the LNKLST* *\n                 member when the operating system was upgraded in July 1997. Because\n                 Division management did not review the members used to define APF-\n                 authorized libraries, these 13 libraries remained in the LNKLST** member.\n\n\n\n4A library is a collection of programs or data files or a collection of functions (subroutines) that are linked into\nthe main program when it is compiled. (The Computer Language Company, Inc., Computer Desktop\nEncyclopedia, Version 9.4,4th Quarter, 1996.)\n\n\xe2\x80\x98Concatenation means to link together in a series or chain. (Webster\xe2\x80\x99s Ninth New Collegiate Dictionary,\nMerriam-Webster Inc., Springfield, Massachusetts, 1989, p. 27 1.)\n\n6LNIUST** member \xe2\x80\x9cdefmes the collection of program libraries to be searched, in sequence, for programs\nwhen no specific [library] has been supplied in the job stream.\xe2\x80\x9d (Mark S. 
Hahn, CONSUL Risk Management,\nInc., A Guide to SYSl .PARMLIB, Monograph Series 4, 1 he Information Systems Audit and Control\nFoundation, Inc., Rolling Meadows, Illinois, February 1996, p. 38.)\n\n                                                        16\n\x0c                                                                                 APPENDIX 1\n                                                                                 Page 11 of 11\n\nMAINFRAME COMPUTER OPERATING SYSTEM SOFTWARE\n\n\n              Further, because Division management implemented the LNKLST option,\n              these 13 libraries were unnecessarily provided the ability to run in the APF-\n              authorized state. Therefore, management did not have assurance that only\n              approved libraries had access to sensitive operating system functions. Based\n              on recommendations of our audit staff during the review, the libraries were\n              removed fi-om the LNKLST** member. However, if the APFTAB option had\n              been used, Division personnel would have been required to enter the 13 library\n              names into the APF table, thus providing additional assurance that only\n              approved libraries would run in the APF-authorized state.\n\nEffect:       By implementing the LNKLST option rather than the APFTAB option, the risk\n              increased for unauthorized libraries to run in an authorized state, thus bypassing\n              operating system controls, and for system integrity to be lost.\n\nRecommendations:\n\nWe recommend that the Director, Administrative Service Center:\n\n    1. Evaluate the feasibility of using the APFTAB option, thus providing additional\nassurance that only approved libraries would run in the APF-authorized state.\n\n    2. 
Perform periodic reviews of all members used to define the APF-authorized libraries to ensure that only those required to run in the APF-authorized state are given this authority.

APPENDIX 2
Page 1 of 6

SUMMARY OF RECOMMENDATIONS AND CORRECTIVE ACTIONS FOR AUDIT REPORT “MAINFRAME COMPUTER POLICIES AND PROCEDURES, DENVER ADMINISTRATIVE SERVICE CENTER, BUREAU OF RECLAMATION” (No. 97-I-683)

Each recommendation is followed by the status of the recommendation and the corrective actions taken.

A.1. Require all contractor employees to have proper background clearances.
    Status: Implemented. All contractor employees in the ADP Services Division are required to have background clearances. However, the current review found that contractor employees in other Service Center Divisions did not have appropriate clearances.

B.1. Enhance the intruder detection settings to suspend a user account, after unsuccessful access attempts, for a period of time long enough to ensure that the user will have to contact an administrator to have the user ID reset.
    Status: Implemented. NetWare intruder lockout settings have been modified on all production servers to suspend a user identification (ID) for a period of 24 hours after three incorrect log-in attempts have been made within a 24-hour period.

C.1. Develop and periodically update a disaster recovery plan for the LAN.
    Status: Implemented.
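Returning to Finding F above (Mainframe Operating System Options): the script below is an added example, not code from the audit report or the Service Center. Given constructed IEASYSxx, LNKLSTxx and PROGxx fragments in simplified syntax (an assumption; comments, continuations and other statements are ignored, and the APF ADD statements are treated as the complete APF table), it lists which LNKLST libraries run APF-authorized only because LNKAUTH=LNKLST is in effect, which is what the periodic review in Recommendation F.2 is meant to surface.

```python
"""Review of the members that define APF-authorized libraries (added example).

The member fragments are constructed and follow simplified IEASYSxx, LNKLSTxx
and PROGxx syntax; they are not the Service Center's configuration.
"""
import re

# Constructed IEASYSxx fragment with the default option the audit found.
IEASYS_WEAK = """\
LNKAUTH=LNKLST,      /* every LNKLST library is treated as APF-authorized */
MAXUSER=255,
"""

# Same fragment with the option the audit recommends evaluating.
IEASYS_FIXED = IEASYS_WEAK.replace("LNKAUTH=LNKLST", "LNKAUTH=APFTAB")

# Constructed LNKLSTxx member: the concatenation searched for programs.
# Dataset names are comma separated; an optional (volser) suffix may follow.
LNKLST_MEMBER = """\
SYS1.LINKLIB,
SYS1.CSSLIB,
SYS1.MIGLIB(SYSRES),
VENDOR.TOOLS.LOADLIB,
UPGRADE.NEW.LOADLIB,     /* added by the constructed OS upgrade */
UPGRADE.NEW.SAMPLIB
"""

# Constructed PROGxx APF statements: the libraries management explicitly approved.
PROG_MEMBER = """\
APF FORMAT(DYNAMIC)
APF ADD DSNAME(SYS1.LINKLIB) VOLUME(SYSRES)
APF ADD DSNAME(SYS1.CSSLIB)  VOLUME(SYSRES)
APF ADD DSNAME(SYS1.SVCLIB)  VOLUME(SYSRES)
APF ADD DSNAME(VENDOR.TOOLS.LOADLIB) SMS
"""


def strip_comments(text):
    """Remove /* ... */ comments, which all three member types allow."""
    return re.sub(r"/\*.*?\*/", "", text, flags=re.S)


def parse_lnkauth(ieasys_text):
    """Return the LNKAUTH setting. An omitted parameter means LNKLST,
    the system default, so it is reported as the weak case."""
    match = re.search(r"\bLNKAUTH=(LNKLST|APFTAB)\b",
                      strip_comments(ieasys_text).upper())
    return match.group(1) if match else "LNKLST"


def parse_lnklst(member_text):
    """Return the LNKLST concatenation in search order, volsers dropped."""
    names = []
    for token in strip_comments(member_text).split(","):
        token = token.strip()
        if token:
            names.append(re.sub(r"\(.*\)$", "", token).upper())
    return names


def parse_apf_table(prog_text):
    """Return the set of dataset names given in APF ADD statements."""
    pattern = r"\bAPF\s+ADD\s+DSNAME\(([^)]+)\)"
    found = re.findall(pattern, strip_comments(prog_text), re.I)
    return {name.strip().upper() for name in found}


def effective_apf(lnkauth, lnklst, apf_table):
    """Libraries able to run APF-authorized under the given LNKAUTH option."""
    if lnkauth == "LNKLST":
        return apf_table | set(lnklst)   # every LNKLST library is authorized
    return set(apf_table)                # APFTAB: only the named libraries


def unapproved_lnklst_libraries(lnklst, apf_table):
    """LNKLST libraries authorized only because of LNKAUTH=LNKLST; under
    APFTAB each would have had to be entered in the APF table first."""
    return sorted(set(lnklst) - apf_table)


def review(ieasys_text, lnklst_text, prog_text):
    """Produce the facts a periodic review of the APF-defining members needs."""
    lnkauth = parse_lnkauth(ieasys_text)
    lnklst = parse_lnklst(lnklst_text)
    apf_table = parse_apf_table(prog_text)
    return {
        "lnkauth": lnkauth,
        "effective_apf": sorted(effective_apf(lnkauth, lnklst, apf_table)),
        "unapproved": unapproved_lnklst_libraries(lnklst, apf_table),
    }


if __name__ == "__main__":
    for label, ieasys in (("weak", IEASYS_WEAK), ("fixed", IEASYS_FIXED)):
        result = review(ieasys, LNKLST_MEMBER, PROG_MEMBER)
        print(f"{label}: LNKAUTH={result['lnkauth']}, "
              f"{len(result['effective_apf'])} libraries APF-authorized")
        if result["lnkauth"] == "LNKLST" and result["unapproved"]:
            print("  authorized without an APF table entry:",
                  ", ".join(result["unapproved"]))
```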
    Subsequent to the completion of current fieldwork, the LAN Disaster Recovery Plan was completed.

D.1. Ensure that LAN security and password features are implemented which will require all users to change passwords every 90 days; enforce unique password use; and limit concurrent multiple or unlimited connections to one per user and grant additional connections on an as-needed basis.
    Status: Implemented. The password change interval has been revised to 90 days or less on all servers. Unique passwords are required for all individual users. Concurrent multiple connection authority has been removed from all accounts except for those where a demonstrated need exists.

D.2. Include the “SECURE CONSOLE” command in the AUTOEXEC.NCF file on all file servers to prevent users from gaining access to the system files in DOS mode.
    Status: Implemented. A procedure to secure the console on all Service Center file servers was implemented. At the monitor console screen, the “LOCK FILE SERVER CONSOLE OPTION” was implemented to lock the system console manually whenever the server is initialized.

D.3. Ensure that the command “SET ALLOW UNENCRYPTED PASSWORD=ON” is not present in the AUTOEXEC.NCF file.
    Status: Partially implemented. All Service Center NetWare servers will be configured to require encrypted passwords when all Service Center NetWare file servers have been migrated to NetWare Directory Services. This is 75 percent implemented. The target date for full implementation originally was March 31, 1998, but the date has been changed to September 30, 1998.

E.1. Coordinate with the client to limit Service Center users’ access to the “least privileged” in the FFS application; that is, assurance should be provided that any user authorized to enter or change the vendor table does not also have access to disbursing documents.
    Status: Implemented. As requested by the Service Center, the client has changed FFS security so that no employee has access to both vendor tables and disbursement documents.

F.1. Document procedures for the issuance of key cards and require that the procedures be instituted for vendors in addition to contractors and Federal employees.
    Status: Implemented. Procedures for the issuance of card keys for vendors, contractors, and Federal employees have been documented.

F.2. Evaluate the need for individuals outside of the ADP Services Division to be issued permanent card keys because such access should be limited to those individuals performing their day-to-day duties.
    Status: Implemented. The evaluation has been completed. Permanent card keys are issued to only those individuals deemed appropriate.

F.3. Document procedures to ensure the Service Center’s compliance with the Department of the Interior Automated Information Systems Handbook regarding visitor (such as maintenance personnel, janitorial staff, and vendors) monitoring.
    Status: Implemented. Procedures for monitoring visitor access to the computer room have been documented in compliance with the Departmental Handbook.

G.1. Evaluate the feasibility of setting the parameters in RACF security software to require one numeric or special character as part of the password, as recommended by the Bureau’s Security Administrator.
    Status: Implemented. Evaluation of using one numeric or special character as part of the Service Center standard password has been completed. Service Center management, in coordination with its clients, determined that requiring numeric or special characters as part of the password was not feasible.

G.2. Reevaluate the standard RACF password change intervals and revocation settings to ensure that the level of risk associated with the mainframe applications and the current password settings is acceptable to the Service Center, as well as to its clients and the Department, and address the results in a current risk assessment.
    Status: Partially implemented. The Service Center issued a memorandum to the system owners in October 1997 outlining the alternatives identified in the feasibility study referenced in Recommendation G.1. System owners responded in December 1997, agreeing to reduce the expiration period for passwords from 180 days to 90 days, reduce the allowable period of inactivity of a user ID from 180 days to 90 days, and remove inactive user IDs from the system after 1 year of inactivity. With the exception of one client, all inactive users are removed manually once a month. Procedures for removing Social Security inactive users are being developed.

H.1. Evaluate the feasibility of limiting the number of Service Center users who have access authority to alter SMF logs.
    Status: Implemented. Evaluation has been completed. This authority has been limited to three senior-level system programmers who work in the System Software Management Branch.

H.2. Ensure that the SMF record type 60 logging is active or RACF settings are adjusted to specifically audit critical datasets maintained on the mainframe computers and to therefore provide an audit trail of system activity.
    Status: Implemented. Batch and TSO type 60 records are written to the SMF log. Type 60 record collection has been activated for “started tasks” as well.

I.1. Evaluate the extent to which the “OPERATIONS” attribute should be available to Service Center user IDs. Specifically, the use of other more restrictive RACF authorities (such as DASDVOL authority) should be considered where possible.
    Status: Implemented. Evaluation has been completed. Assignment of the OPERATIONS attribute has been restricted to employees who need the attribute to perform their duties.

I.2. Activate the security feature RACF OPERAUDIT and ensure that security personnel perform periodic reviews of the resultant logs to identify unauthorized activity.
    Status: Implemented. The feature OPERAUDIT has been activated, and the resultant logs will be reviewed on a quarterly basis by the Service Center Computer Security Manager.

J.1. Ensure that the group responsible for monitoring security performs periodic reviews of user access levels to identify required necessary changes and to ensure that user access levels are authorized.
    Status: Partially implemented. The identification of critical datasets has been completed, and a requirement to perform periodic reviews of reports auditing the critical datasets has been established. Performance of these actions would enable monitoring personnel to identify user access levels; however, the actions would not ensure that the user access level was authorized. Therefore, procedures need to be established to compare the critical dataset reports with approved user authorization requests.

J.2. Institute a policy of “least privileged” access levels to ensure that access to resources and data is limited to those users who require such access.
    Status: Implemented. A policy of “least privileged” access is in place.

K.1. Evaluate the staffing requirements of the group responsible for monitoring security to ensure the separation of duties within RACF.
    Status: Implemented. The ADP Services Division has completed the evaluation and has identified adequate staffing within the Division for accomplishing the separation of the security administration and auditing functions. The security administration function will be maintained with the same staffing levels. The security auditing function will be placed within a quality management function in the Division’s IRM and Customer Service Branch.

L.1. Document and implement procedures to ensure that Decentralized Security Administration Facility records are updated for oral access adjustments to allow for the reconciliation of access requested with access allowed.
    Status: Implemented. While the Bureau disagreed with the recommendation, it has taken action to modify existing policy and procedures to reflect a new process.

M.1. Provide resources to ensure the development of a computer security plan for the sensitive systems in accordance with the Computer Security Act and Circular A-130, Appendix III.
    Status: Implemented. A computer security plan for 1997 was developed and submitted to the Department of the Interior’s Office of Information Resources Management.

N.1. Perform a risk analysis of the Service Center’s computer center and its applications.
    Status: Implemented. A risk analysis of the computer center has been completed.

United States Department of the Interior

JUN 17 1998

D-5010
ADM-8.00

Memorandum

To: Office of Inspector General
    Attention: Robert J. Williams, Acting Inspector General

From: Commissioner

Subject: Administrative Service Center, Bureau of Reclamation (Assignment No. A-IN-BOR-001-97)

As required by Departmental Manual 360 DM 5.3, attached is the Bureau of Reclamation’s written response to the subject audit report of our mainframe computer operations at the Denver Administrative Service Center (ASC).
The schedule proposed for implementation of some of the\n recommendations recognizes the ASC\xe2\x80\x99s existing commitment to the complete implementation of\n the Federal Personnel Payroll System (FPPS) by the end of calendar year 1998.\n\n While we generally support the audit recommendations, some of the discussion in the report is\n misleading and should be clarified. The report language regarding the FPPS system did not\n adequately consider that FPPS was under development during the time of the audit. According to\n the drafl report, the period of audit coverage was fiscal year 1997. The FPPS was still in a\n development mode at that time, and there is a considerable difference between a software project\n in the development mode versus the maintenance mode. Some of the report language (e.g., page\n 10 of the draft report) could lead a reader to believe that FPPS is presently an unstable system.\n This is not true and should be clarified before the report is issued in final form.\n\n We appreciate the opportunity to comment on the audit recommendations and anticipate working\n with your office towards a constructive resolution. If you have any questions or concerns, please\n contact Stan DUM, Administrative Service Center Director, at (303) 969-7200.\n\n\n\n\n Attachment\n\n  cc. Assistant Secretary - Water and Science, Attention: Carla Burzyk\n         (w/ attachment)\n\n                                                           24\n\x0c                                                                                             APPE,"JllIX 3\n                                                                                             Page        2 of 15\n\n\n\n\n                 OIG Draft Report \xe2\x80\x9cFollowup of Mainframe Computer Policies\n                       and Procedures, Administrative Service Center\xe2\x80\x9d\n\n\nCOMPUTER CENTER MANAGEMENT AND OPERATIONS\n\nA. 
Background Clearance-s\n\nCondition: In our prior report, we recommended that Service Center management require all\n            contractor employees to have proper background clearances. However, during our\n            current audit, we found that contractor personnel at the ADP Services Division had\n            received background clearances but that not all contractor personnel at the FPPS\n            and Financial Systems Divisions had received background clearances. Additionally,\n            Service Center Federal personnel involved in designing, developing, operating, or\n            maintaining sensitive automated systems did not have background checks and\n            security clearances commensurate with their job responsibilities and the sensitivity of\n            the information accessed. Speci&ally, 154 of the 189 Service Center employees\n            who performed these ADP-related duties did not have the appropriate ADP\n            background clearances.\n\nCriteria:   Office of Management and Budget Circular A-130, Appendix III, \xe2\x80\x9cSecurity of\n            Federal Automated Information Resources,\xe2\x80\x9d requires agencies to establish and\n            manage security policies, standards, and procedures that include requirements for\n            screening individuals participating in the design, development, operation, or\n            maintenance of sensitive applications or those having access to sensitive data. In\n            addition\xe2\x80\x99 the Departmental Manual (441 DM 4.6) requires position sensitivity levels\n            of \xe2\x80\x9cnon-critical sensitive\xe2\x80\x9d or \xe2\x80\x9ccritical sensitive\xe2\x80\x9d and associated security clearances for\n            ADP-related positions for which employees are required to design, test, operate, and\n            maintain sensitive computer systems. 
            Security clearances are also required of
            employees who have access to or process sensitive data requiring protection under
            the Privacy Act of 1974. Further, the Departmental Manual (441 DM 5.15) requires
            that all consultants or contractors performing ADP-related sensitive and critical
            duties have background investigations to determine position suitability and to receive
            a security clearance.

Cause:      Service Center management had not uniformly developed and implemented, across
            all Service Center Divisions, personnel security policies requiring contractor
            personnel who perform ADP-related sensitive and critical duties to be screened for
            position suitability. Additionally, Service Center management did not ensure that the
            level of position sensitivity for ADP-related positions was assigned at the level
            commensurate with the risk and sensitivity of the data accessed and processed and
            that background checks were performed on employees who filled these positions.

Effect:     Without proper personnel background investigations, managers had limited
            knowledge of the suitability of their employees and contractors, from a security
            standpoint, for their respective jobs. Without this assurance, there was an increased
            risk that the Service Center's sensitive systems could be impaired or compromised
            by personnel.

Recommendations

We recommend that the Director, Administrative Service Center:

    1. Develop and implement policies and procedures which require contractor employees who
fill ADP-related sensitive or critical positions to have documented suitability screening and proper
background investigations and appropriate security clearances.

    Response

    Concur. The Denver Administrative Service Center (ASC) will develop and distribute policy
    to all affected ASC offices regarding security clearances and background investigations for
    contractor personnel. The policy will be distributed by October 1, 1998. In addition, the
    ASC will review and amend as necessary all personnel contracts to include the requirement for
    background investigations and security clearances for existing and future contract personnel
    by January 1, 1999. The responsible official is the Chief, Applications Management Office.

    There are two types of contractual service arrangements at the ASC. Some employees work
    under a third-party contract with other agencies, usually the General Services Administration
    (GSA). In these cases, the servicing agency contract controls all contractual requirements
    and clauses. The requesting agency (ASC) may outline additional security requirements in the
    task order statement of work as long as the additional requirements are within the parameters
    of the original contract. All GSA contractors in both the ADP Services and Financial Systems
    Division were subject to background security investigations through GSA's requirements and
    procedures. These investigations were completed as of May 1997. As of March 1998, the
    Federal Personnel Payroll System (FPPS) Program Management Division contractor
    employees changed from a Department of the Army contract to a GSA contract. As a result
    of the preliminary audit findings, ASC security requirements were added to the task order
    under the GSA contract.

    Another type of contractual arrangement is a direct contract between the ASC and the service
    contractor. All current direct contracts either already have the proper security clauses or will
    have the proper clauses by January 1, 1999, to comply with security requirements. All
    existing and future contractual service agreements will be reviewed to ensure compliance with
    the requirements for background security checks.

    2. Evaluate the position sensitivity of ADP-related positions, assign position sensitivity levels
in accordance with the Departmental Manual, and ensure that those employees working on
sensitive systems have the proper background investigations and security clearances before they
are assigned to the positions.

    Response

    Concur. The ASC will review ADP-related positions in the ASC organizations to verify the
    appropriate requirements for background investigations and security clearances, as required by
    the Departmental Manual, to ensure employees working on sensitive systems have the proper
    background and security clearances. A complete evaluation of position sensitivities ASC-
    wide and the assignment of sensitivity levels will be completed by April 1, 1999. However,
    the ASC has no control over when the background investigations on these employees will be
    completed. These investigations are performed by an outside contractor.
    We believe that the
    contractor can complete most of these investigations by October 1, 1999. The responsible
    official is the Chief, Applications Management Office.

    Position sensitivity evaluations for the ADP Services Division have been completed and the
    results of several background investigations received. The ASC began position sensitivity
    evaluations in the FPPS Division in June of 1998 with background investigations to follow.
    Position sensitivity evaluations for the Financial Systems Division (FSD) and PAY/PERS
    Division will commence after management decisions are made regarding potential
    reorganizations impacting the positions in these divisions.

    While the ASC can control the position sensitivity evaluation process, it cannot control the
    timeframes in which the background investigations and security clearances are completed.
    The audit recommendation states that the background investigations and security clearances
    should be completed before the individuals are assigned to the positions. Our understanding is
    that this criterion only applies to positions classified as "Sensitive" (of which ASC has had very
    few thus far). Therefore, our concurrence is based on the understanding that employees
    currently occupying positions classified as "Non-Sensitive" may continue in those positions
    until such time as completed background investigations either confirm or rebut the
    appropriateness of their placement in these jobs.

COMPUTER CENTER MANAGEMENT AND OPERATIONS

B. Operating Efficiencies

Condition:  At the Service Center, each division controlled the process of moving changed
            software from the test to the production environment, different software tools were
            used to control the movement of the changed software, and internal and external
            clients controlled their mainframe computer production scheduling.

Criteria:   Office of Management and Budget Circular A-130 states that management should
            oversee its processes to maximize return on investment and minimize financial and
            operational risk. Further, the Circular requires that financial management systems
            conform to the requirements of Office of Management and Budget Circular A-127,
            "Financial Management Systems." Circular A-127 requires that agency financial
            management systems process financial events effectively and efficiently.

Cause:      Service Center management did not ensure that its processes were operating
            efficiently because of preferences of internal and external clients and because
            management had not developed and implemented consistent standards for
            controlling operational processes.

Effect:     There was an increased risk that changed software would negatively impact the
            mainframe computer operating system; costs of maintaining different software tools
            would increase Service Center operating costs, which would be passed onto clients;
            and mainframe computer usage could be reduced.
            Additionally, without centralized
            control of production scheduling, there was an increased risk that critical processing
            jobs would not receive the required priority.

Recommendation:

We recommend that the Director, Administrative Service Center, in coordination with the Service
Center's internal and external clients, evaluate the feasibility of centralizing the process of moving
changed software from the test environment to the production environment, using standardized
software tools to control the software change process, and centralizing mainframe computer
production scheduling.

    Response

    Concur. The ASC will, in coordination with internal and external clients, perform an
    evaluation of the feasibility of centralized software change management. The feasibility
    analysis will include evaluating the viability of a standard software change management
    tool and make recommendations to management by October 1, 1999. In addition to
    evaluating centralized software change management, the ASC will also evaluate the
    feasibility of centralized computer production scheduling. Should the feasibility evaluation
    indicate that centralized change management and production scheduling is cost beneficial,
    additional implementation time beyond the October 1, 1999, date will be necessary. The
    responsible official is the Chief, Applications Management Office.

    There are several issues which this feasibility evaluation will need to consider.
    Due to the
    variety of customers ASC serves, centralized software change management will require
    technical expertise in a variety of different customer practices and utilities. Software
    change management is no longer simply a Common Business Oriented Language
    (COBOL) exercise. Without even considering the software change management tools
    our customers are using, there are multiple change management software tools even within
    the ASC. ChangeMan is the selected ASC change management software product that
    controls day-to-day changes on the IBM computer. This product is in various phases of
    implementation throughout the ASC. However, ChangeMan will not work within the
    COM-PLETE/Natural environment which FPPS uses. The PAC change management
    software tool was selected for this environment, due to the uniqueness of the Natural
    language. Since the intent of this recommendation appears to address the overall
    efficiency of mainframe computer operations, the intent of the feasibility evaluation will
    address this same concern as well.

SOFTWARE CHANGE MANAGEMENT

C. Application Software Change Management Controls

Condition:  Software changes made to the FPPS during the latter stages of development and the
            early stages of implementation were not approved, reviewed, or evaluated
            adequately before changed software was installed for use in production;
            documentation was not adequate to monitor changes made to the software; and
            available library control software [1] was not implemented to ensure consistency and
            completeness throughout the FPPS application.

Criteria:   Federal Information Processing Standards Publication 106, "Guideline on Software
            Maintenance," provides guidelines for managing software maintenance. Publication
            106 states that all software changes should be carefully evaluated and formally
            reviewed prior to installing the changed software. The publication further states, "In
            order to monitor maintenance effectively, all activities must be documented. . . . The
            key to successful documentation is that not only must the necessary information be
            recorded, it must be easily and quickly retrievable by the maintainer." In addition,
            FPPS Division policies and procedures require that all changes to the FPPS
            application be thoroughly documented, be accepted by all involved parties, and pass
            a quality assurance review.

Cause:      FPPS Division management did not ensure that Division personnel followed
            software change management practices for making software changes to the FPPS
            application because of the time constraints to implement FPPS and because FPPS
            was encountering problems and was considered by Division personnel to be
            unstable.
            In addition, we found that FPPS Division management did not hold its
            personnel accountable for complying with Division policies and procedures when
            they made changes to the FPPS application. Further, FPPS Division management
            said that they did not implement the available library control software, which would
            ensure adequate documentation of the FPPS application, because at that time, the
            vendor library control software was not working correctly.

Effect:     There was an increased risk that the changes made to the FPPS application would
            not perform according to specifications, which could adversely affect user
            satisfaction and could adversely impact other applications interfacing with the FPPS
            application or the mainframe operating system.

   [1] Library control software is a system for keeping track of changes to and versions of software programs,
   documenting components to build executable programs, and preventing unauthorized access to program files.

Recommendations:

We recommend that the Director, Administrative Service Center:

    1. Require that software changes be adequately reviewed and approved before the changes
are implemented.

    Response

    Complied. Currently, FPPS Standard Operating Procedures (SOP) require that any
    software changes complete the following steps:
        - Be approved by FPPS management before programming begins.
        - Be migrated to a dedicated test environment upon completion with an explanation of
          the change(s) made.
        - Be independently tested and approved for production by FPPS Functional Analysts
          and have the test results and documentation reviewed and approved by an FPPS
          Functional Lead.
        - Be independently migrated to production by the FPPS Database Administrative staff
          along with any database changes required.

    This SOP is enforced by FPPS Management.

    2. Implement procedures to ensure that all software changes to the FPPS application are
properly documented.

    Response

    Complied. The FPPS SOP requires that any software changes be fully documented on
    the change request form or problem report form. It also requires that any change(s) made
    be fully documented on the migration request forms and that a responsible person's
    signature be provided at each step along the way. Upon migration to production, all
    paperwork is filed for easy retrieval.

    This SOP is enforced by FPPS Management.

    3. Implement the available library control software when corrected to ensure adequate
documentation of the FPPS application.

    Response

    Concur. The available library control software is in the process of being implemented for
    testing. Once it is to the stage that it will meet all our migration needs and is fully tested,
    it will be implemented. The target date to debug, test, and render a "go or no-go"
    decision on implementation of available library control software is July 1, 1999. The
    responsible official is the Chief, Applications Management Office.

    The FPPS SOP does provide adequate documentation and an organized systematic
    migration approach which also provides separation of duties. This SOP can also be used
    for emergency change reports which are a fact of life for any new system. One of the
    reasons the library control software is not used is that it does not provide emergency
    change flexibility as our current SOP does. As FPPS completes the transition from a
    development mode to a maintenance mode, the computer operating environment will
    almost certainly change substantially. It will take time to determine how interrelated
    conditions will develop so as to determine specifically what corrections are needed to
    make the library control software operational.

SOFTWARE CHANGE MANAGEMENT

D. Operating System Software Change Management

Condition:  Change controls over the mainframe computer operating system software were not
            adequate. The ADP Services Division change control procedures did not address
            adequate separation of duties between the development, test, and installation
            functions. Thus, one individual could perform all of these critical functions.
            In addition, the change control procedures did not ensure that all changes were
            properly approved by Division management. While the change management
            procedures required approval of all software changes, changes were made without
            documented evidence of approval.

Criteria:   Appendix III of Office of Management and Budget Circular A-130 states that one of
            the minimum controls required in a general support system is personnel controls.
            One such control is separation of duties, which is "the practice of dividing the steps
            in a critical function among different individuals." Also, Federal Information
            Processing Standards Publication 106 states that "to be effective, the policy should
            be consistently applied and must be supported and promulgated by upper
            management to the extent that it establishes an organizational commitment to
            software maintenance." In addition, Publication 106 states that "prior to installation,
            each change (correction, update, or enhancement) to a system should be formally
            reviewed." Finally, Division system change request procedures require that all
            change requests be approved by the appropriate branch chief.

Cause:      ADP Services Division management did not ensure that appropriate separation of
            duties existed in developing and testing mainframe operating system software and
            parameter changes and in moving operating system software and parameter changes
            into the production environment, although the number of employees within the
            Division may allow for a separation of these duties.
            Additionally, Division
            management had not implemented controls to ensure that the process of making
            system software changes was in compliance with its documented procedures.
            Further, management had not implemented procedures to require periodic reviews of
            critical datasets and system parameters to identify inappropriate changes to the
            mainframe operating system environment. Although Division management had
            implemented a change control software tool that provided a systematic and
            automated means of controlling the movement of software changes, all the
            capabilities of the software tool were not implemented because of other Division
            priorities.

Effect:     There was an increased risk that unauthorized, untested, and undocumented changes
            could be made to the mainframe computer operating system software and
            parameters, which would affect system processing and data integrity, and that these
            changes would not be detected or detected in a timely manner.

Recommendations:

We recommend that the Director, Administrative Service Center:

    1. Evaluate current ADP Services Division procedures and determine the feasibility of
implementing controls in the change management process over operating system software to
ensure that adequate separation of duties is addressed and complied with.

    2. Develop procedures and implement controls to ensure that changes to the operating
system parameters are identified, approved by ADP Services Division management, and
documented.

    3. Develop procedures requiring periodic reviews of critical datasets and system parameters.

    4. Evaluate implementing available capabilities in the current change control software tool to
more effectively control changes to the operating system software.

    Response

    Concur. The ASC will implement the recommended actions by July 1, 1999. The
    responsible official is the Chief, ADP Services Division.

MAINFRAME COMPUTER OPERATING SYSTEM SOFTWARE

E. System Audit Tools

Condition:  Service Center management did not use available mainframe computer operating
            system audit tools that would improve integrity over system processing and data and
            that would detect inappropriate actions by authorized users. Specifically:

                - Operating system integrity verification and audit software was not used.
            Such
            software could assist data center and installation security management in identifying
            and controlling the mainframe computer operating system's security exposures that
            may result from system setting options; from installing "back doors" to the operating
            system; and from introducing viruses and Trojan horses, which can destroy
            production dependability and circumvent existing security measures.

                - Computer operators and system programmers had the capability to change the
            system initialization process and thus affect system processing. System options that
            would log the results in the SYSLOG [2] of actions taken by the computer operators
            and system programmers affecting mainframe operating system configuration were
            not implemented. Therefore, an audit trail of the system initialization process and
            changes to the operating system configuration could not be produced for periodic
            review. Based on recommendations made by our audit staff during the review,
            Service Center management implemented the logging capabilities within the system;
            however, procedures had not been developed and implemented to require periodic
            reviews of the logs.

                - Periodic reviews of critical System Management Facility (SMF) [3] logs to
            identify unauthorized changes to data by authorized users and critical events
            affecting system processing were not performed. For example, reviews were not
            performed of record type 7, which records when the system audit trail is lost, and
            record type 90, which records events such as SET TIME, SET DATE, and SET
            SMF, all of which affect system processing and audit trails.

   [2] SYSLOG is an audit trail that logs the results of actions taken by computer operators and system programmers
   during system initialization.

   [3] The System Management Facility (SMF) logs record all system activity and serve as an audit trail of system
   activity, including identifying users who performed the activity.

Criteria:   Appendix III of Office of Management and Budget Circular A-130 requires agencies
            to establish controls to ensure adequate security for all information processed,
            transmitted, or stored in Federal automated information systems. In addition, the
            Circular states that individual accountability is one of the personnel controls required
            in a general support system. The Circular further states that an example of one of
            the controls to ensure individual accountability includes reviewing or looking at
            patterns of users' behavior, which requires periodic reviews of the audit trails.
            Also,
            the National Institute of Standards and Technology's "An Introduction to Computer
            Security: The NIST Handbook" states that audit trails are "technical mechanisms" to
            achieve individual accountability.

Cause:      Service Center management did not acquire operating system integrity and
            verification software, did not encourage the use of available system audit trails to
            detect and identify inappropriate actions affecting the system processing and data
            integrity, and did not establish procedures requiring periodic reviews of available
            system logs. Instead, Service Center management relied on its staff to make
            appropriate changes to the system initialization process and on authorized users to
            make only appropriate changes.

Effect:     As a result, there was an increased risk that mainframe computer operating system
            security exposures would not be identified. Additionally, without periodic reviews
            of the system audit trails, there was an increased risk that processing problems or
            unauthorized activities would not be detected or detected timely and that the
            responsible individuals would not be held accountable for the inappropriate actions.

Recommendations:

We recommend that the Director, Administrative Service Center:

    1. Evaluate acquiring system verification and auditing software.

    Response

    Concur. The ASC will develop functional requirements and identify additional resources
    necessary to manage and conduct evaluation of existing verification and auditing products
    to determine cost and capability. Should a software product be found which complies
    with our requirements, it will be implemented by January 1, 1999. The responsible official
    is the Chief, ADP Services Division.

    2. Develop and implement procedures to ensure that periodic reviews are performed of the
SYSLOG and critical SMF logs to identify unauthorized or inappropriate activities and that
unauthorized or inappropriate activities are reported to Service Center management.

    Response

    Concur. The ASC will develop and implement procedures for reviewing SYSLOG and
    critical SMF logs by July 1, 1999. The responsible official is the Chief, ADP Services
    Division.

MAINFRAME COMPUTER OPERATING SYSTEM SOFTWARE

F. Mainframe Operating System Options

Condition:  ADP Services Division management did not implement mainframe operating system
            options that would strengthen controls over computer programs which access
            sensitive operating system functions. We found 13 libraries [4] that were able to run in
            the "Authorized Program Facility (APF)-authorized" state, even though the libraries
            were not required to run in the APF.
By running in the APF-authorized state, these\n           libraries may be considered part of the mainframe operating system and thus have\n           access to all of the mainframe resources.\n\nCriteria:      IBM\xe2\x80\x99s publication titled \xe2\x80\x9cOS/390 Initialization and Tuning Reference\xe2\x80\x9d states that\n               \xe2\x80\x9cthe parameter LNKAUTH specifies whether all libraries\xe2\x80\x9d in the LNKLST**\n               membei \xe2\x80\x9care to be treated as Authorized Program Facility (APF)-authorized when\n               accessed as part of the concatenation, or whether only those libraries that are named\n               in the APF table are to be treated as APF-authorized.\xe2\x80\x9c6 Additionally, the publication\n               addresses managing system security and states that the \xe2\x80\x9cauthorized program facility\n               (APF) allows your installation to identify system or user programs that can use\n               sensitive system functions. \xe2\x80\x9d\n\nCause:         Division Management implemented a default option (LNKLST) that allowed\n               libraries within the LNKLST** member to run in the APF-authorized state. An\n               alternative option (APFTAB) is provided which requires only those libraries that are\n               named specifically in the APF table to be able to run in the APF-authorized state.\n               The 13 libraries were automatically added to the LNKLST** member when the\n               operating system was upgraded in July 1997. Because Division management did not\n               review the members used to define APF-authorized libraries, these 13 libraries\n               remained in the LNKLST** member. Further, because Division management\n               implemented the LNKLST option, these 13 libraries were unnecessarily provided the\n               ability to run in the APF-authorized state. 
Therefore, management did not have\n               assurance that only approved libraries had access to sensitive operating system\n               functions. Based on recommendations of our audit staff\xe2\x80\x99 during the review, the\n\n\n   4A library is a collection of programs or data files or a collection of functions (subroutines) that are linked into the\n   main program when it is compiled. (The Computer Language Company, hrc., ComDuter DesktoD~ncvcloDedi~\n   Version 9.4,4th Quarter, 1996.)\n\n   5Con~on me8Ils to link together in a series or chain. (We ~Merriam-\n                                                              \xe2\x80\x98s \xe2\x80\x99\n   Webster Inc., Springfield, Massachusetts, 1989, p. 27 1.)\n\n\n   %NKLST\xe2\x80\x99j member \xe2\x80\x9cdefines the collection of program libraries to be searched, in sequence, for programs when\n   no specific [library] has been supplied in the job stream.\xe2\x80\x9d (Mark S. Hahn CONSUL Risk Management, Inc., A\n   Guide to SYSl .PARMLIB. MonoeraDh Series 4, The Information Systems Audit and Control Foundation, Inc.,\n   Rolling Meadows, Illinois, February 1996, p. 38.)\n\x0c                                                                                             APPE3DIX 3\n                                                                                             Page 15 of 15\n\n\n\n               libraries were removed from the LNKLST** member. 
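The LNKAUTH choice described in this finding, as an added audit check that is not part of the OIG report or the Service Center's procedures: it reads constructed IEASYSxx, LNKLSTxx and PROGxx fragments (assumed one-data-set-per-line LNKLST layout and sample data set names, not the Service Center's actual members) and lists the LNKLST libraries that would run APF-authorized only because LNKAUTH=LNKLST is in effect, which is the population a periodic review under recommendation F.2 must examine.

```python
"""Flag libraries that gain APF authorization solely through LNKAUTH=LNKLST.

Assumptions (constructed samples, not the Service Center's real members):
- IEASYSxx carries LNKAUTH=LNKLST or LNKAUTH=APFTAB (IBM default is LNKLST).
- LNKLSTxx lists the concatenation one data set per line, trailing commas.
- The APF table comes from PROGxx 'APF ADD DSNAME(...)' statements.
"""
import re

IEASYS_WEAK = "LNKAUTH=LNKLST"    # every LNKLST library is treated as APF-authorized
IEASYS_STRONG = "LNKAUTH=APFTAB"  # only libraries named in the APF table are authorized

# Constructed LNKLSTxx member: system libraries followed by vendor/user load libraries.
LNKLST_MEMBER = """\
SYS1.LINKLIB,
SYS1.MIGLIB,
VENDOR.TOOL.LOAD,
USER.APPL.LOAD
"""

# Constructed PROGxx member holding the explicit APF table.
PROG_MEMBER = """\
APF FORMAT(DYNAMIC)
APF ADD DSNAME(SYS1.LINKLIB) VOLUME(SYSRES)
APF ADD DSNAME(SYS1.MIGLIB)  VOLUME(SYSRES)
"""


def parse_lnkauth(ieasys: str) -> str:
    """Return the effective LNKAUTH value; LNKLST is the IBM default when omitted."""
    match = re.search(r"LNKAUTH=(LNKLST|APFTAB)", ieasys)
    return match.group(1) if match else "LNKLST"


def parse_lnklst(member: str) -> list[str]:
    """Data set names in the LNKLST concatenation, in search order."""
    return [ln.strip().rstrip(",") for ln in member.splitlines() if ln.strip()]


def parse_apf_table(member: str) -> set[str]:
    """Data set names explicitly added to the APF table in a PROGxx member."""
    return set(re.findall(r"APF\s+ADD\s+DSNAME\(([^)]+)\)", member))


def implicitly_authorized(ieasys: str, lnklst_member: str, prog_member: str) -> list[str]:
    """LNKLST libraries able to run APF-authorized without an APF table entry.
    Under LNKAUTH=APFTAB this is empty by definition; under LNKLST it is the
    set a reviewer must confirm is approved (or remove, as the 13 libraries were)."""
    if parse_lnkauth(ieasys) == "APFTAB":
        return []
    apf = parse_apf_table(prog_member)
    return [ds for ds in parse_lnklst(lnklst_member) if ds not in apf]
```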
However, if the APFTAB option had been used, Division personnel would have been required to enter the 13 library names into the APF table, thus providing additional assurance that only approved libraries would run in the APF-authorized state.

Effect:        By implementing the LNKLST option rather than the APFTAB option, the risk increased for unauthorized libraries to run in an authorized state, thus bypassing operating system controls, and for system integrity to be lost.

Recommendations:

We recommend that the Director, Administrative Service Center:

    1. Evaluate the feasibility of using the APFTAB option, thus providing additional assurance that only approved libraries would run in the APF-authorized state.

          Response

          Concur. The ASC will review the existing control methodology and determine if using the APFTAB option would provide enough additional safeguards to justify its implementation. The review will be completed and recommendations provided to management by July 1, 1998. The responsible official is the Chief, ADP Services Division.

   2. Perform periodic reviews of all members used to define the APF-authorized libraries to ensure that only those required to run in the APF-authorized state are given this authority.

          Response

          Concur. The ASC will by October 1, 1998, develop procedures requiring periodic reviews of members used to define the APF-authorized libraries. The responsible official is the Chief, ADP Services Division.

                                                                          APPENDIX 4

   STATUS OF CURRENT AUDIT REPORT RECOMMENDATIONS

Finding/Recommendation
        Reference                    Status                    Action Required

      C.1 and C.2          Implemented.                 No further action is required.

A.1, A.2, B.1, C.3, D.1,   Resolved; not implemented.   No further response to the
D.2, D.3, D.4, E.1, E.2,                                Office of Inspector General is
F.1, and F.2                                            required. The recommendations
                                                        will be referred to the Assistant
                                                        Secretary for Policy,
                                                        Management and Budget for
                                                        tracking of implementation.

                                          39

                                                                           APPENDIX 5

     STATUS OF PRIOR AUDIT REPORT RECOMMENDATIONS

Finding/Recommendation
       Reference                       Status                    Action Required

A.1, B.1, C.1, D.1, D.2,     Implemented.                 No further action is required.
E.1, F.1, F.2, F.3, G.1,
H.1, H.2, I.1, I.2, J.2, K.1,
L.1, M.1, N.1, N.2, and
O.1

D.3, G.2, and J.1            Resolved; not implemented.   No further response to the
                                                          Office of Inspector General is
                                                          required. The information
                                                          regarding the status of these
                                                          recommendations will be
                                                          provided to the Assistant
                                                          Secretary for Policy,
                                                          Management and Budget for
                                                          tracking of implementation.

                                            40

               ILLEGAL OR WASTEFUL ACTIVITIES
                   SHOULD BE REPORTED TO
             THE OFFICE OF INSPECTOR GENERAL BY:

Sending written documents to:                                  Calling:

                     Within the Continental United States

U.S. Department of the Interior                       Our 24-hour
Office of Inspector General                           Telephone HOTLINE
1849 C Street, N.W.                                   1-800-424-5081 or
Mail Stop 5341                                        (202) 208-5300
Washington, D.C. 20240

                                                      TDD for hearing impaired
                                                      (202) 208-2420 or
                                                      1-800-354-0996

                     Outside the Continental United States

                                     Caribbean Region

U.S. Department of the Interior                       (703) 235-9221
Office of Inspector General
Eastern Division - Investigations
4040 Fairfax Drive
Suite 303
Arlington, Virginia 22201

                                    North Pacific Region

U.S. Department of the Interior                       (671) 647-6051
Office of Inspector General
North Pacific Region
415 Chalan San Antonio
Baltej Pavilion, Suite 306
Tamuning, Guam 96911

Toll Free Numbers:
 1-800-424-5081
 TDD 1-800-354-0996

FTS/Commercial Numbers:
 (202) 208-5300
 TDD (202) 208-2420

1849 C Street, N.W.
Mail Stop 5341
Washington, D.C. 20240